Service abuse: Free provider with SendGrid routing

The From header uses a free email provider domain (for example gmail.com or outlook.com), yet the message was delivered through SendGrid infrastructure: a hostname under sendgrid.net appears somewhere in the message headers, typically in Received or Message-ID. Mail sent from a free webmail account is normally handed off directly by that provider, so relaying it through a transactional mail service suggests the sender is abusing the service, usually to borrow its delivery reputation and evade filtering tied to the free-mail account. Messages whose current thread the NLU classifier labels as benign, or as a bounce or delivery failure notification, are excluded to cut false positives.

Sublime rule (View on GitHub)

name: "Service abuse: Free provider with SendGrid routing"
description: "Message From header includes a free email provider domain but is routed through SendGrid infrastructure, indicating potential service abuse for delivery evasion."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.domain in $free_email_providers
  and any(headers.domains, .root_domain == "sendgrid.net")
  and not any(ml.nlu_classifier(body.current_thread.text).intents,
              .name == "benign"
  )
  and not any(ml.nlu_classifier(body.current_thread.text).topics,
              .name == "Bounce Back and Delivery Failure Notifications"
  )

tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Evasion"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "3079cacb-2ab9-533a-bced-59545bd54d63"
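As an added illustration, not code from the Sublime rule or the sublime-rules project, the Python below re-implements the sender and header conditions of the rule and runs them over four constructed messages: a free-mail From relayed through SendGrid (hit), the same From delivered directly by Google (miss), a corporate From relayed through SendGrid (miss), and a delivery failure notification (excluded). It assumes a small stand-in list for $free_email_providers, approximates Sublime's .root_domain with the last two labels (use a public suffix list library such as tldextract for real traffic), and replaces the NLU bounce-topic exclusion with a structural check (multipart/report with report-type=delivery-status, or a mailer-daemon/postmaster sender). The "benign" intent exclusion has no offline equivalent and is omitted.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed stand-in for Sublime's $free_email_providers list (not the real list).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Hostname-like tokens in header values: one or more labels, then an alphabetic TLD.
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def root_domain(host: str) -> str:
    """Approximate Sublime's .root_domain with the last two labels.
    Assumption: no multi-label public suffixes (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def header_domains(msg) -> set:
    """Every hostname found in any header value (approximates headers.domains)."""
    found = set()
    for _, value in msg.items():
        found.update(h.lower() for h in HOST_RE.findall(str(value)))
    return found


def sender_domain(msg) -> str:
    """Domain of the From address (approximates sender.email.domain.domain)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def looks_like_bounce(msg) -> bool:
    """Structural stand-in for the NLU 'Bounce Back and Delivery Failure Notifications' topic."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    local = parseaddr(str(msg.get("From", "")))[1].split("@")[0].lower()
    return local in {"mailer-daemon", "postmaster"}


def matches_rule(raw: str) -> bool:
    """True when the message would fire the sender/header part of the rule."""
    msg = message_from_string(raw, policy=policy.default)
    return (
        sender_domain(msg) in FREE_EMAIL_PROVIDERS
        and any(root_domain(h) == "sendgrid.net" for h in header_domains(msg))
        and not looks_like_bounce(msg)
    )


# Constructed sample messages (not real traffic). 203.0.113.5 is a documentation address.
SG_RECEIVED = "Received: from o5.abc.sendgrid.net (o5.abc.sendgrid.net [203.0.113.5]) by mx.example.net\n"
HIT = (
    SG_RECEIVED
    + "From: Account Team <account.team.2024@gmail.com>\n"
    + "Subject: Action required: verify your mailbox\n"
    + "Message-ID: <r1.abc@o5.abc.sendgrid.net>\n"
    + "Content-Type: text/plain\n\n"
    + "Your mailbox will be suspended unless you verify within 24 hours.\n"
)
DIRECT_GMAIL = (
    "Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41]) by mx.example.net\n"
    "From: Friend <friend@gmail.com>\nSubject: lunch?\nContent-Type: text/plain\n\nFree on Thursday?\n"
)
CORPORATE_VIA_SENDGRID = (
    SG_RECEIVED
    + "From: Billing <billing@vendor.example>\nSubject: Your invoice is ready\n"
    + "Content-Type: text/plain\n\nSee attached.\n"
)
BOUNCE = (
    SG_RECEIVED
    + "From: Mail Delivery Subsystem <mailer-daemon@gmail.com>\n"
    + "Subject: Delivery Status Notification (Failure)\n"
    + 'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
    + "--b1\nContent-Type: text/plain\n\nYour message could not be delivered.\n--b1--\n"
)


def evaluate_samples() -> dict:
    """Run the rule over every sample; returns {sample name: fired?}."""
    samples = {"hit": HIT, "direct_gmail": DIRECT_GMAIL,
               "corporate_via_sendgrid": CORPORATE_VIA_SENDGRID, "bounce": BOUNCE}
    return {name: matches_rule(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:24s} fired={fired}")
```

Only the first sample fires. Note that the header scan is deliberately broad, as the rule's headers.domains is: a sendgrid.net hostname anywhere (Received, Message-ID, DKIM-Signature, List-Unsubscribe) counts, which is what lets the rule catch relays even when the envelope sender has been rewritten.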
